rules
Frequent Visitor
Topic Author
Posts: 65
Joined: Tue Feb 19, 2019 12:10 pm
Location: Cape Town, South Africa

Securing a small network

Sat May 07, 2022 1:12 pm

Hi All

I'm slowly but surely starting to button things up on our office network (at very least I can say I tried as I am no professional 😅). My original plan was purely based on controlling MAC addresses (set DHCP to static only and no reply on ARP) but I have since become aware that apart from the issue with today's phones which use random MACs, it is also becoming increasingly easy to spoof MAC addresses so it simply doesn't seem viable any longer.

So the short question (which I'm sure is going to have a long answer) is, what is the best way to secure one's network (keeping in mind this is for an SME, not an international conglomerate). Our current layout is quite basic, we have a few wired devices, Desktops/printers and 2 x APs (Unifi) for mobiles and laptops, which all connect to a hEX, which we use for internet access and DHCP etc.

If you don't mind nudging me in the right direction, it would be much appreciated 😉

Thanks,
R
 
tangent
Forum Guru
Posts: 1333
Joined: Thu Jul 01, 2021 3:15 pm

Re: Securing a small network

Sat May 07, 2022 1:57 pm

It is also becoming increasingly easy to spoof MAC addresses

I'll quibble with "increasingly:" it's been as easy as it's ever going to get for a decade or so. You can literally go into your Windows networking control panel and put in anything you like.

MAC address based security has been amateur-hour since the time the MAC was no longer burned into a PROM chip on the network card, and it wasn't awesome even then.

We're at peak pointlessness. :)

what is the best way to secure one's network

I would've said "use dot1x" until this exchange. Until they fix the problem where only one host needs to authenticate on a given port to open it wide, it's nearly as worthless as MAC address filtering. It's like one of those metal detector arches: it only works if you force all traffic through that choke point.

Until then, I say "authenticate services, not devices." So, client-side certs, SSH keys, strong passwords, time-based one-time codes, etc. The mere fact that a device can be on the network doesn't prove it's benign.

Even with an ideal dot1x implementation, there's still the threat of malware worms: host A might be legitimately allowed on the network, but if it's running malware, your hEX S isn't in any position to kick it off the net.

Others will encourage VLANs, but it's easy to run yourself into a corner that way, where hosts on VLAN A have to talk to hosts on VLAN B, and now you've got a problem making sure each and every interaction is safe. It's not impossible, but you'll get yourself a fine education in minutiae that way.

we have a few wired devices, Desktops/printers and 2 x APs (Unifi) for mobiles and laptops,

What then is your threat model? When you talk about MAC filtering, you imply that other devices could connect. Which ones, and how? Knowing that might suggest methods to block them.

For instance, if the worry is about rogue WiFi clients, the solution is strong WPA settings. Until you can connect to the WiFi, you can watch the pseudorandom noise fly by all day and gain nothing from it.
 
mozerd
Forum Veteran
Posts: 872
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Securing a small network

Sat May 07, 2022 2:17 pm

MikroTik provides some very good guidance at the following link: Securing your router
and pay specific attention to the subsections titled:
Building Your First Firewall
Building Advanced Firewall

Another excellent source that you may find helpful: The DEFACTO DEFAULT FIREWALL Setup
 
rules
Frequent Visitor
Topic Author
Posts: 65
Joined: Tue Feb 19, 2019 12:10 pm
Location: Cape Town, South Africa

Re: Securing a small network

Sat May 07, 2022 8:01 pm

Thanks guys 👍👍

mozerd, I'm busy reading through those firewall guides and making tweaks as I go, already managed to "break" something but in a good way, i.e. it's now working like it always should have 😉

tangent, yeah I've been scanning the web to get an idea of what methods people are using but I'm casting the net a bit wide as I don't have much experience in this field, yet, and my worry was if I had to go down each rabbit hole to see if the solution worked or not, I might never get back to my actual work, hence me rather asking here 😅

The reason for the "control" is two-fold: on the one side I don't want any funployees to plug devices in or connect to the wifi without authorization (we finally found the culprit that spread ransomware onto our file server yesterday, 2 years later (some server from a manufacturer we work with)), and on the other side, even though we no longer host our information locally (Microsoft 365) I still don't want anyone to get onto the network and possibly find some device that has access to SharePoint (I know we should make sure all devices are secure and we do enforce MFA, but you never know with funployees).
 
tangent
Forum Guru
Posts: 1333
Joined: Thu Jul 01, 2021 3:15 pm

Re: Securing a small network

Sat May 07, 2022 8:22 pm

plug devices in or connect to the wifi without authorization

In that case, I'd rely on physical security: put the router in a locked room that only people you trust can enter. If you put live Ethernet ports connected to sensitive LANs out where untrustworthy people can get to them, you deserve what you get. Down that path lies cryptomalware and MITM attacks.

VLANs don't apply if I'm reading your reply correctly: you don't want to offer conditional access, you want total control. That's the basis for my suggestion, but change the premise, change the answer. This is what I mean by defining your threat model.

(we finally found the culprit that spread ransomware onto our file server yesterday, 2 years later (some server from a manufacturer we work with)

That sounds like you plugged a product you bought into your own network. RouterOS can't help you with that problem. It isn't a content-filtering security gateway; it's a router.

you never know with funployees

Maybe if you stop being disrespectful to them, some of them will return the regard.

People treated as idiots tend to behave as idiots. That's a disservice to them and a provoked risk to your operation. Disrespect serves no one.
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Securing a small network

Sat May 07, 2022 9:00 pm

Where there's a will there's a way.
What you are asking is not possible only at the router; you should secure your clients too.

If I were in your shoes:
The router at the top of the chain runs firewall, DHCP, DNS, etc. (disable every NIC that is not used).
I would create a DMZ in a virtual environment like a NAS that runs some VMs or an ESXi: all local services, AD, endpoint security solutions like https://www.broadcom.com/products/cyber ... y/endpoint (all the devices should run Active Directory and the security app; no more malware, no load on the router forward chain rules), backup solutions like Veeam for local VMs, a central log solution.
Use WiFi authentication that separates every user, like EAP, and then use static IPs in your RADIUS server. Now no matter what the client's MAC address is, you know who's done what.

There are so many other ways to secure it more, but it will take more effort and requires more resources.
 
rules
Frequent Visitor
Topic Author
Posts: 65
Joined: Tue Feb 19, 2019 12:10 pm
Location: Cape Town, South Africa

Re: Securing a small network

Sat May 07, 2022 11:46 pm

I'm assuming I struck a nerve, I was merely quoting a funny comment from a movie, but ok.

I understand that the router can't do anything about malware and such and this is exactly my point. If I can set things up in such a way that if someone were to connect a device, that neither by DHCP nor static IP it would be able to communicate on the network, that would be half the battle won, no?

I don't think disabling ports will gain much, what stops someone from unplugging a device and plugging into that port? All switches and the router are in locked cabinets, but again the previous point pops up. As for the wireless, that is running WPA 2 with a strong password but again, passwords are like pin reader access control, you can never really account for all the people in whose hands that ends up.

I quickly glanced over RADIUS and that seems like it might be a step in the right direction, I'm just wondering how complicated that is going to turn out on the core side AND the user side (mobiles, tablets, laptops etc.).

https://security.stackexchange.com/ques ... -directory ... so according to the answer from Thomas, RADIUS and AD will both accomplish what we require, so now I'll just have to see which will be the "easiest" (yeah I know I just jinxed it) to implement. Thanks own3r1138 👍

PS. We are also running Kaspersky on our office machines now.
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Securing a small network

Sun May 08, 2022 12:14 am

You cannot stop people from setting a static IP on their devices if they both use the same broadcast domain.
don't think disabling ports will gain much
It will help.
what stops someone from unplugging a device and plugging into that port
Set the src MAC address in the firewall; if it doesn't match, then drop. Just for the physical interfaces that you use; all others disabled.
As for the wireless
If you use WPA2 EAP there is no single pre-shared key for every user; you can create a username and password, and you can limit the online session to one, so no one will give their username and password to anybody else.
I'm just wondering how complicated that is going to
core side
viewtopic.php?t=184630
client side
As easy as any other username and password auth.
The article from your link refers to LDAP; it doesn't have anything to do with WPA2 EAP.
We are also running Kaspersky on our office machines now
If that is not ENDPOINT then it's useless. Users should not be able to disable any protection or change any setting.

 
tangent
Forum Guru
Posts: 1333
Joined: Thu Jul 01, 2021 3:15 pm

Re: Securing a small network

Sun May 08, 2022 12:38 am

I'm assuming I struck a nerve, I was merely quoting a funny comment from a movie, but ok.

I have no personal axe to grind. I'm just trying to draw a line between using disparaging terms to refer to one's employees and complaints that they're infecting the network. Treat your people like intelligent, responsible people, and some of them might well step up. Treat them like irresponsible threats, and that's what some of them will turn out to be.

You can't fix people with technology. You can fix people with people; that's part of good management.

what stops someone from unplugging a device and plugging into that port?

Same answer as above: physical security. Put the trusted wired device in a locked cabinet or desk-mount sleeve or whatever, so untrustworthy people can't get at their connectors. (Example)

Most museums, schools, and libraries have their public computers secured in this manner, for that reason, so the products for doing this are plentiful. The only difficult bit is finding ones that fit your particular gear.

passwords are like pin reader access control

That's why own3r1138 recommended EAP. Every user gets a unique key that lets them in. If two hosts try to authenticate with the same key, the auditing features let you find out who let their key get loose.

I quickly glanced over RADIUS and that seems like it might be a step in the right direction

RADIUS is a common service used by several other services. It is not something you turn on and use solo. Quoting the docs: "RouterOS has a RADIUS client that can authenticate for HotSpot, PPP, PPPoE, PPTP, L2TP, and ISDN connections." Let's run those down:

  • HotSpot: Not really applicable for you. You aren't running public WiFi access, as in a coffee shop or hotel.
  • PPP/PPPoE/PPTP: Obsolete tech, for the most part, and not really helpful for your case anyway.
  • L2TP: Much better than PPTP when coupled with IPsec and/or IKEv2, but putting each client on a VPN is overkill.
  • ISDN: Obsolete and inapplicable.

What isn't in that list are two things that might help: WPA-EAP, as mentioned above, to secure the wireless with per-client keys instead of shared passwords, and dot1x to secure the wired connections in the same manner. Unfortunately, RouterOS's dot1x implementation is terribly leaky, so if you absolutely had to have authenticated wired conns, setting up in-house per-host VPNs would be your next option. Again, overkill, but it'd work.

how complicated that is going to turn out on the core side AND the user side (mobiles, tablets, laptops etc.).

Quite. This is the sort of thing professional network engineers get paid to do, 40+ hours a week solid.

It needn't be a full-time occupation for a small LAN, but it will require hours of work up front, occasional auditing, and ongoing maintenance as valid clients come and go.


AD is more suited to the "authenticate services, not devices" level of things. To make it do what RouterOS can, you'd have to set your Windows Server up as a VPN gateway and gate access to it based on AD authentication. If I read your earlier replies right, you're using Azure AD, which means putting your LAN router out in the cloud, which is moderately insane unless you have multiple sites and thus have a need for them to communicate over the Internet anyway.

All of the services based on RADIUS are better suited for your thread's purpose. The main downside is that RADIUS creates a second login system, parallel to your AD setup. If you wanted single sign-on authentication, you're back to AD.

And on the other-other hand, having a RADIUS server separate from your AD setup can be an advantage, since it lets you use ugly X.509 certificates for authenticating a few key services, then use weaker passwords and MFA setups for interactive logins.

Again, all of this is full-time security career stuff, not "tick the GUI checkbox and suddenly I'm secure" stuff.
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Securing a small network

Sun May 08, 2022 12:57 am

What I meant by running AD as a service was a way to control the machines in the work environment with GPO. The RADIUS for EAP has nothing to do with AD; of course, it can be migrated, but there is no need if I understand the topic requirement correctly. UM will do the job nicely.
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Securing a small network

Sun May 08, 2022 1:10 am

@own3r1138
I owe you a favor :roll:
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Securing a small network

Sun May 08, 2022 1:11 am

I hold you to it <3
 
tangent
Forum Guru
Posts: 1333
Joined: Thu Jul 01, 2021 3:15 pm

Re: Securing a small network

Sun May 08, 2022 12:50 pm

I've been thinking more about this problem, and I'd like to raise the level of the discussion.

Before I get to that, I want to set WiFi aside, because it already does a much better job of authenticating access to the network than Ethernet. The networking equipment providers have developed things to the point that there is nearly no such thing as unauthenticated access any more. Even in the case of coffee shop WiFi, you've got things like HotSpot to tie unauthenticated users to a guest VLAN or similar. For the purposes of this subthread, we can consider the WiFi leg of this problem "solved."

What I want to talk about instead is the problem of randos plugging untrusted equipment into live Ethernet ports.

We've dealt with physical security and disabling ports above. That still leaves a hole in the conversation relative to WiFi: given that there's a practical limit to such measures, how do we prevent those rogue connections from accessing anything important? Either such traffic should be shunted out to a guest LAN, or it should be denied entirely.

Above, I claimed that RouterOS's dot1x facility is "leaky." The basis for that claim is this quote in the docs:

After client is successfully authenticated, the interface will accept all received traffic on the port. If the interface is connected to a shared medium with multiple hosts, the traffic will be accepted from all hosts when at least one client is successfully authenticated.

That behavior has been independently verified. All you need to do to break RouterOS's dot1x security is interpose a dumb Ethernet switch. Anyone plugging into one of the spare ports left after the 2 needed to pull this trick off ride along with the lone authenticated connection. Until that's fixed, I consider RouterOS's dot1x implementation a form of security theater. We can disregard it for the purposes of threads like this one.

On thinking about why this sorry state exists, I realized that it's nearly inevitable. To solve it, you need some way to identify particular clients after they've authenticated. If MAC 11:22:33:44:55:66 does the EAPOL dance for dot1x successfully, what happens? The switch learns that 11:22:33:44:55:66 can send packets, is what. Doesn't that just put us back in the MAC filtering problem brought up at the top of this thread? Sprinkle in a little ARP poisoning, and now anyone that can connect to the network can claim to be 11:22:33:44:55:66 and ride along with the legitimate host's authentication.

I did some web searching and found that this problem was anticipated and solved back in 2006 with 802.1AE, called MACsec by analogy to IPsec. Basically, it establishes an encrypted L2 tunnel, rather than the normal L3-L4 tunnels of VPNs. Unfortunately, RouterOS doesn't appear to support 802.1AE.

That got me to thinking: couldn't you use one of RouterOS's many VPN technologies to solve this?

Above, I dismissed the option of IKEv2/IPsec/L2TP on an intra-LAN basis as "overkill." Not only is it more complicated to set up and manage than any other VPN technology, it's likely to break any protocol based on broadcast or multicast.

Thankfully, that family of over-engineered tech isn't our only option. In particular, RouterOS is getting a ZeroTier Controller feature in 7.3. Doesn't that solve both sets of problems? That is, the wish for authenticated wired network access and simplicity of configuration?

To those that would dismiss this solution because ZeroTier runs only on MikroTik's ARM devices at the moment, observe that the best alternative we have so far is physical security. For the price of a single custom-made sheet steel box fitted to an Ethernet-equipped device, you can get one of several RouterOS products fit to this purpose.

For the OP's case, I think the PCIe card version of the CCR2004 might work nicely: put it in the office's main server, and turn off the insecure motherboard Ethernet ports in the UEFI config so all of its services bind to the internal virtual interfaces instead, forcing all the traffic through the RouterOS layer. Configure RouterOS on the card to block anything that isn't ZeroTier, so that until the server's ZeroTier client connects to RouterOS, it offers no services.

Regardless of the device you choose, if you use ZeroTier as your intra-LAN security layer like this, unauthenticated clients see nothing but a bunch of pseudorandom noise flying by, just as with modern secure WiFi. It isn't until you authenticate with the ZeroTier controller that you can see the "real" network services.

This is also good psychology: anyone going to the effort to hijack an open Ethernet port most likely just wants to screw off on company time, surfing the Internet or whatever. If their duties are light enough to let them get away with this, for the purposes of this technical forum, why not let them? The ZeroTier layer inoculates the business network from their infections, so the two parties can share the medium in peace. Any perceived problem beyond this is a local people management issue, thus off-topic here.

What am I missing here? Have I cracked the problem?

I do realize that none of this solves the problem of malware worms and such coming in over "secure" channels. If a trusted client gets pwned, it's on the secure network, and bad things can still happen. I intend this solution only to solve the problem of untrusted hosts doing the same type of thing.
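A small model, added here and not taken from any post in this thread or from RouterOS itself, of the three wired-port admission policies argued over above: the documented "one authenticated host opens the whole port" behaviour tangent quotes, own3r1138's src-MAC firewall rule, and the per-session-key binding that MACsec (or a ZeroTier-style overlay) provides. The `Port` and `Frame` classes and the HMAC frame tag are assumptions of the model, not RouterOS features; the MACs and payloads are constructed sample data.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Frame:
    """One Ethernet frame as seen by the switch port (constructed sample data)."""
    src_mac: str
    payload: bytes
    tag: Optional[bytes] = None  # per-frame authentication tag, "keyed" policy only


def tag_frame(key: bytes, frame: Frame) -> bytes:
    """Integrity tag over the frame, bound to a per-session key (MACsec-style idea)."""
    return hmac.new(key, frame.src_mac.encode() + frame.payload, hashlib.sha256).digest()


@dataclass
class Port:
    """A wired switch port under one of three admission policies (model assumption)."""
    policy: str                       # "port-based" | "mac-bound" | "keyed"
    authorized: bool = False
    auth_mac: Optional[str] = None
    session_key: Optional[bytes] = None

    def authenticate(self, mac: str, credential_ok: bool) -> Optional[bytes]:
        """Outcome of the supplicant's EAPOL exchange. On success the port records
        the MAC; under "keyed" it also derives a fresh session key that only the
        authenticated supplicant receives."""
        if not credential_ok:
            return None
        self.authorized = True
        self.auth_mac = mac
        if self.policy == "keyed":
            self.session_key = secrets.token_bytes(16)
            return self.session_key
        return b""

    def accept(self, frame: Frame) -> bool:
        """Admission decision for a frame arriving on this port."""
        if not self.authorized:
            return False                      # unauthorized port drops everything
        if self.policy == "port-based":
            return True                       # quoted RouterOS behaviour: port is wide open
        if self.policy == "mac-bound":
            return frame.src_mac == self.auth_mac   # own3r1138's src-MAC firewall rule
        if self.policy == "keyed":
            if frame.tag is None or self.session_key is None:
                return False
            return hmac.compare_digest(tag_frame(self.session_key, frame), frame.tag)
        raise ValueError(f"unknown policy {self.policy!r}")


def scenario(policy: str) -> dict:
    """Authenticate one legitimate host, then present three frames arriving on the
    same port through a dumb switch: the legit host, a rogue host with its own MAC,
    and a rogue host that copied the legit MAC but holds no session key."""
    port = Port(policy)
    legit_mac = "11:22:33:44:55:66"          # the MAC used in tangent's post
    key = port.authenticate(legit_mac, credential_ok=True)

    legit = Frame(legit_mac, b"constructed: normal traffic")
    rogue_own = Frame("aa:bb:cc:dd:ee:ff", b"constructed: rogue traffic")
    rogue_spoof = Frame(legit_mac, b"constructed: rogue traffic")
    if policy == "keyed":
        legit.tag = tag_frame(key, legit)
        # The spoofer can copy the MAC but never saw the session key, so the best
        # it can do is tag with a key of its own, which the port will not verify.
        rogue_spoof.tag = tag_frame(secrets.token_bytes(16), rogue_spoof)

    return {
        "legit": port.accept(legit),
        "rogue_own_mac": port.accept(rogue_own),
        "rogue_spoofed_mac": port.accept(rogue_spoof),
    }


if __name__ == "__main__":
    for policy in ("port-based", "mac-bound", "keyed"):
        print(f"{policy:11} -> {scenario(policy)}")
```

Only the keyed policy rejects both rogue frames, which is the point of the thread: a MAC is an identifier, not a credential, so the port has to verify something the rogue cannot copy.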
 
rules
Frequent Visitor
Topic Author
Posts: 65
Joined: Tue Feb 19, 2019 12:10 pm
Location: Cape Town, South Africa

Re: Securing a small network

Sun May 08, 2022 8:54 pm

Yeah I must say it's starting to feel borderline conspiratorial how everything is still so MAC orientated given how insecure that is, not to mention that pretty much all smartphones by default seem to alternate their wifi MACs nowadays, which is a royal pain (definitely going to look at the PEAP setup for that though).

I'm gonna have to do this whole thing in phases it seems, thinking I might just start off with RADIUS for DHCP to get things going and then at some point maybe look at some form of internal VPN setup. I suppose WireGuard would also work fine, wouldn't it? I've developed a real liking to it and busy changing over all my SSTP connections.

Anywho, thanks for all the advice and guidance 😉👍

PS. The .1X thing definitely seems like a good idea, they must just somehow limit it to a single src MAC or something so there can be no "tethering" ... I can't imagine that being so complicated.
 
tangent
Forum Guru
Posts: 1333
Joined: Thu Jul 01, 2021 3:15 pm

Re: Securing a small network

Sun May 08, 2022 9:09 pm

it's starting to feel borderline conspiratorial how everything is still so MAC orientated given how insecure that is

No, it's just a reliance on a very old technology that was never intended for security. The very fact that mobile clients now randomize their MAC to avoid tracking is proof: there's nothing unique per host about the MAC, as long as the vendor sticks within their OUI assignment(s).

The proper sort of solution here is a client certificate, which is behind much of what we've discussed above. Unlike a MAC, that is intended to be used for security, and it is unique per-host.

I suppose WireGuard would also work fine, wouldn't it?

The beauty of ZeroTier is that it's a virtual network switch, creating a type of mesh network. All of the peers connected to a given virtual switch can see each other. To accomplish something similar with point-to-point networks like WireGuard will add a lot of routing complexity to your RouterOS configuration. I love me some WireGuard, but it really isn't the right sort of technology for this purpose.

they must just somehow limit it to a single src MAC or something so there can be no "tethering" ... I can't imagine that being so complicated.

The point I tried to make above is that if all you do is tie dot1x to a whitelist of MAC addresses, it's still subject to spoofing.

Thus certificates, encryption, and all the other measures we've invented in the past decades for solving this sort of problem.
 
mozerd
Forum Veteran
Posts: 872
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Securing a small network

Sun May 08, 2022 9:20 pm

@rules
Lots of stuff others have provided. My suggestion is KISS … keep it simple ….
Unless you have a handle on your network users' requirements in line with the boss's objectives you will run into trouble.
Once requirements are understood the rest is easy since the objectives must match the capabilities of your gear.
Most important is physical security and credential security, and both must be air tight.
I have seen many networks over-engineered by over-zealous admins that completely frustrated their users … many of those simply have no idea what it means to meet business objectives.

When building firewalls the KISS approach never fails.
Incoming traffic
Outgoing traffic
Internal traffic
Only allow what is needed everything else is dropped

Most small businesses, academic in nature and under 100 employees, do not need more than 30 rules max.
If the business is not academic but highly technical then your rule count will grow to perhaps between 30 and 50, all depending on the level of collaboration between departments, and regardless of complexity KISS still applies … experience is the best teacher … learn from your mistakes.

My average rule count numbers between 25 and 27 …. Clients are very satisfied.
 
rules
Frequent Visitor
Topic Author
Posts: 65
Joined: Tue Feb 19, 2019 12:10 pm
Location: Cape Town, South Africa

Re: Securing a small network

Sun May 08, 2022 10:37 pm

Oh believe me, KISS and the 20/80 rule (20% of the effort completes 80% of the work) is what I live by. At this point I'm just trying to find my feet so I can come up with the most viable solution, but it seems like it's gonna be a steep learning curve (like when I switched on that first MikroTik and tried to set up a VPN 🙈 a few years back).

My only concern with Certificates is, who installs them? As soon as you pass it on to a user there is no longer accounting for where it ends up (even if they delete it, it more than likely will just end up in the Recycle Bin, waiting for someone to find it). I remember with the VPNs I could set the profile to only allow a single connection, which worked well, but it still leaves a gap when the legit device is not connected.

Even with a certificate, I suppose the only way to get "total protection" is still to run a VPN of sorts as nothing else will encrypt your data, right? AD/RADIUS/etc. is just padlocks on the door, after that all data is still readable.
 
tangent
Forum Guru
Posts: 1333
Joined: Thu Jul 01, 2021 3:15 pm

Re: Securing a small network

Sun May 08, 2022 10:58 pm

My only concern with Certificates is, who installs them?

Windows Server can be a complete CA, for this very sort of purpose.

As soon as you pass it on to a user there is no longer accounting for where it ends up

Sure, but it's unique and unforgeable. The very fact of someone who isn't authorized to have it presenting it is proof of unauthorized copying or fraud.

You really need to read up on this before commenting further.

it more than likely will just end up in the Recycle Bin

Not likely. It gets loaded into the client's key store, which is out of sight, out of mind, for the most part. Someone would have to go well out of their way to delete a key you'd pushed down to them via the Windows management tool set. Up-thread, own3r1138 spoke of Windows GPO, with which you can actually make it impossible for the user to modify the key store.

This isn't the place to learn how to administer AD CS and such. We could help you if you wanted to use RouterOS as a CA, but since you seem to have an AD deployment you're happy with, I can't come up with a good reason not to use it as a CA.

VPNs I could set the profile to only allow a single connection, which worked well, but it still leaves a gap when the legit device is not connected.

My idea with ZeroTier is that if you connect physically to the Ethernet network, you aren't connected to the "real" network yet. Yes, you can send packets to others on that unsecured network, and yes, you may be able to access the Internet, but until you authenticate with the ZT controller, you see nothing else.

At this point, you're all but asking me to implement it for you and thereby prove its utility. That isn't going to happen. Either you're going to do some research and figure out if I'm correct and if my solution is applicable, or this is where the discussion will end.

AD/RADIUS/etc. is just padlocks on the door, after that all data is still readable.

LDAP and RADIUS are user authentication services. What happens once a user authenticates is outside either protocol.

Windows relies on AD/LDAP authentication to let you into other protected services, such as desktop login, file sharing, SharePoint, etc.

RouterOS uses RADIUS to let you into the services listed at the top of the User Manager article in the docs.

Neither technology encrypts your network. That's why I'm suggesting ZeroTier, because it does that, among other things. It uses random hex strings instead of X.509 certificates, but the idea is the same.
 
mozerd
Forum Veteran
Posts: 872
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Securing a small network

Sun May 08, 2022 11:33 pm

@rules
For VPN I strongly suggest WireGuard … you do not need certificates …. You do not need VPN for internal … VPN for road warrior on demand only … use RADIUS only if you have mission critical, otherwise it's overkill … mission critical where money or valuable secrets …..
 
tangent
Forum Guru
Posts: 1333
Joined: Thu Jul 01, 2021 3:15 pm

Re: Securing a small network

Mon May 09, 2022 12:40 am

You do not need VPN for internal

Perhaps you haven't been reading from the first. The OP's primary concern is employees or perhaps even strange customers plugging unauthorized devices into the network. MAC address filtering is bogus, dot1x is weak, and physical security is imperfect. What else would you suggest, other than an intra-LAN VPN of some sort?
 
mozerd
Forum Veteran
Posts: 872
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Securing a small network

Mon May 09, 2022 2:15 am

@tangent
Yes I understand but I will not accept poor security disciplines …. I made that clear earlier.
Physical device security is a must as is credential security. If the business cannot afford effective security disciplines no amount of technical hoops will prevent rogue intentions who gain physical access.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Securing a small network

Mon May 09, 2022 2:47 am

Do you have a guard standing 24/7 next to each network outlet, preventing unauthorized persons from plugging anything into it? ;)
 
mozerd
Forum Veteran
Posts: 872
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Securing a small network

Mon May 09, 2022 12:25 pm

@Sob
Nope. Let me clarify ... Router. Switches are in secure area. If Zero Trust then Cameras are used to monitor and staff are properly trained. The security paradigm can be as tight as budget allows.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Securing a small network

Mon May 09, 2022 1:02 pm

Regular office, computers connected using ethernet. Cleaning lady (who may actually be a spy) comes when nobody else is around, unplugs one computer, plugs in own device and has access to network like any employee. She doesn't have user account, but can still scan the network, etc. How do you deal with that?
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Securing a small network

Mon May 09, 2022 1:11 pm

Let me get my popcorn.
 
mozerd
Forum Veteran
Posts: 872
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Securing a small network

Mon May 09, 2022 1:45 pm

Regular office, ......
If the Office is high security then measures can be taken to protect the nodes etc ... it all depends on the budget and network access control via Network Intrusion Detection systems ...
Money and knowledge determines what will be done.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Securing a small network

Mon May 09, 2022 2:43 pm

Do you have a guard standing 24/7 next to each network outlet, preventing unauthorized persons from plugging anything into it? ;)
Agree with Mozerd. If it's a business it's also financial security to protect hardware from damage or theft, let alone security.
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Securing a small network

Mon May 09, 2022 2:54 pm

Really (excluding wireless) it is not necessary to connect something to the ethernet network directly...
Just use a bootable USB drive on a "certified" PC...
The password on the "bios", if the office is empty, is useless if the "cleaning lady" opens the PC to reset the BIOS password...
Or wrong settings permit reading the TPM or similar and decrypting files inside the OS, etc, etc, etc...
